public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. a4ec38abb4c8796969e8ff2057519b60dc1b7ddc
@ 2025-10-25 12:58 Michael Tremer
From: Michael Tremer @ 2025-10-25 12:58 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  a4ec38abb4c8796969e8ff2057519b60dc1b7ddc (commit)
       via  0ec6771a531787b89b7315f6725d6f73377513d0 (commit)
       via  1f05b261720acb779c7e24b27ec90597751e5690 (commit)
       via  ed737ca7b89ade1e23aa512d2fa5596a2df01a1d (commit)
       via  ba820e779a41ad8de20a07dbebb777fc8bfb0c41 (commit)
      from  c9cd1dad5b27d527c6c516c3c9b914e7645d0385 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a4ec38abb4c8796969e8ff2057519b60dc1b7ddc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Oct 25 12:58:10 2025 +0000

    core199: Move nasm symlink to the rootfile
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 0ec6771a531787b89b7315f6725d6f73377513d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Oct 25 12:57:42 2025 +0000

    core199: Ship bind
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 1f05b261720acb779c7e24b27ec90597751e5690
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Fri Oct 24 23:44:53 2025 +0200

    bind: Update to 9.20.15
    
    For details see:
    
    https://downloads.isc.org/isc/bind9/9.20.15/doc/arm/html/notes.html#notes-for-bind-9-20-15
    
    Should anyone wonder where 9.20.14 has gone:
    "The BIND 9.20.14 release was withdrawn after the discovery of a regression
    in a security fix in it during pre-release testing."
    
    "Notes for BIND 9.20.15
    Security Fixes
    
        DNSSEC validation fails if matching but invalid DNSKEY is found.
        (CVE-2025-8677)
    
        Previously, if a matching but cryptographically invalid key was
        encountered during DNSSEC validation, the key was skipped and not
        counted towards validation failures. named now treats such DNSSEC keys
        as hard failures and the DNSSEC validation fails immediately, instead
        of continuing with the next DNSKEYs in the RRset.
    
        ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
        Security and Privacy Laboratory at Nankai University for bringing this
        vulnerability to our attention. [GL #5343]
    
        Address various spoofing attacks. (CVE-2025-40778)
    
        Previously, several issues could be exploited to poison a DNS cache
        with spoofed records for zones which were not DNSSEC-signed or if the
        resolver was configured to not do DNSSEC validation. These issues were
        assigned CVE-2025-40778 and have now been fixed.
    
        As an additional layer of protection, named no longer accepts DNAME
        records or extraneous NS records in the AUTHORITY section unless these
        are received via spoofing-resistant transport (TCP, UDP with DNS
        cookies, TSIG, or SIG(0)).
    
        ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
        Duan from Tsinghua University for bringing this vulnerability to our
        attention. [GL #5414]
    
        Cache-poisoning due to weak pseudo-random number generator.
        (CVE-2025-40780)
    
        It was discovered during research for an upcoming academic paper that a
        xoshiro128** internal state can be recovered by an external 3rd party,
        allowing the prediction of UDP ports and DNS IDs in outgoing queries.
        This could lead to an attacker spoofing the DNS answers with great
        efficiency and poisoning the DNS cache.
    
        The internal random generator has been changed to a cryptographically
        secure pseudo-random generator.
    
        ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from
        Hebrew University of Jerusalem for bringing this vulnerability to our
        attention. [GL #5484]
    
    New Features
    
        Add dnssec-policy keys configuration check to named-checkconf.
    
        A new option -k was added to named-checkconf that allows checking the
        dnssec-policy keys configuration against the configured key stores. If
        the found key files are not in sync with the given dnssec-policy, the
        check will fail.
    
        This is useful to run before migrating to dnssec-policy. [GL #5486]
    
    Bug Fixes
    
        Missing DNSSEC information when CD bit is set in query.
    
        The RRSIGs for glue records were not being cached correctly for CD=1
        queries. This has been fixed. [GL #5502]
    
        rndc sign during ZSK rollover will now replace signatures.
    
        When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
        rndc sign command now signs the zone completely with the successor key,
        replacing all zone signatures from the predecessor key with new ones.
        [GL #5483]
    
        Use signer name when disabling DNSSEC algorithms.
    
        disable-algorithms could cause DNSSEC validation failures when the
        parent zone was signed with the algorithms that were being disabled for
        the child zone. This has been fixed; disable-algorithms now works on a
        whole-of-zone basis.
    
        If the zone's name is at or below the disable-algorithms name the
        algorithm is disabled for that zone, using deepest match when there are
        multiple disable-algorithms clauses. [GL #5165]
    
        Preserve cache when reload fails and reload the server again.
    
        This fixes an issue where failing to reconfigure/reload the server
        would fail to preserve the views' caches for subsequent server
        reconfigurations/reloads. [GL #5523]"
    
    Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit ed737ca7b89ade1e23aa512d2fa5596a2df01a1d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Oct 25 12:56:58 2025 +0000

    nasm: Move rootfile to the x86_64 subdirectory
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit ba820e779a41ad8de20a07dbebb777fc8bfb0c41
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Fri Oct 24 18:42:55 2025 +0200

    nasm: Use only with x86_64
    
    - nasm is linked in to syslinux and libjpeg.
    - libjpeg will only require nasm if CET has been enabled in glibc and the architecture is
       x86_64. CET is not enabled in IPFire, therefore libjpeg does not require nasm for
       building in x86_64 and is not required at all for libjpeg under aarch64 or riscv64
    - syslinux requires nasm to build but only in x86_64.
    - This patch sets the supported architecture to x86_64 only. The build of nasm will be
       skipped in aarch64 and riscv64.
    - The x86_64 build ran as normal. The build was also tested for aarch64 and the build of
       nasm was skipped. syslinux is skipped and libjpeg built successfully confirming that
       nasm does not need to be built for aarch64 or riscv64.
    - The patch is removed as it is only required for building nasm for an arm architecture
    
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/bind                         | 10 +++++-----
 config/rootfiles/common/{ => x86_64}/nasm            |  0
 .../{oldcore/100 => core/199}/filelists/bind         |  0
 config/rootfiles/core/199/filelists/nasm             |  1 -
 config/rootfiles/core/199/filelists/x86_64/nasm      |  1 +
 lfs/bind                                             |  4 ++--
 lfs/nasm                                             |  2 +-
 ...nasm-3.00_fix_typo_in_le32toh_function_name.patch | 20 --------------------
 8 files changed, 9 insertions(+), 29 deletions(-)
 rename config/rootfiles/common/{ => x86_64}/nasm (100%)
 copy config/rootfiles/{oldcore/100 => core/199}/filelists/bind (100%)
 delete mode 120000 config/rootfiles/core/199/filelists/nasm
 create mode 120000 config/rootfiles/core/199/filelists/x86_64/nasm
 delete mode 100644 src/patches/nasm-3.00_fix_typo_in_le32toh_function_name.patch

Difference in files:
diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index db57a9d40..eff7149ca 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -241,18 +241,18 @@ usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.13.so
+usr/lib/libdns-9.20.15.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.13.so
+usr/lib/libisc-9.20.15.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.13.so
+usr/lib/libisccc-9.20.15.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.13.so
+usr/lib/libisccfg-9.20.15.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.13.so
+usr/lib/libns-9.20.15.so
 #usr/lib/libns.la
 #usr/lib/libns.so
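Review bot: the five versioned library entries in this hunk move from 9.20.13 to 9.20.15, but nothing in the summary of changes removes the old `usr/lib/lib*-9.20.13.so` files from systems that already have them, so an updated installation may keep the pre-fix libraries on disk next to the new ones. Consider deleting the 9.20.13 libraries in the Core Update 199 update step, or say in the commit message where that cleanup happens.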
diff --git a/config/rootfiles/common/nasm b/config/rootfiles/common/x86_64/nasm
similarity index 100%
rename from config/rootfiles/common/nasm
rename to config/rootfiles/common/x86_64/nasm
diff --git a/config/rootfiles/core/199/filelists/bind b/config/rootfiles/core/199/filelists/bind
new file mode 120000
index 000000000..48a0ebaef
--- /dev/null
+++ b/config/rootfiles/core/199/filelists/bind
@@ -0,0 +1 @@
+../../../common/bind
\ No newline at end of file
diff --git a/config/rootfiles/core/199/filelists/nasm b/config/rootfiles/core/199/filelists/nasm
deleted file mode 120000
index 94ced6644..000000000
--- a/config/rootfiles/core/199/filelists/nasm
+++ /dev/null
@@ -1 +0,0 @@
-../../../common/nasm
\ No newline at end of file
diff --git a/config/rootfiles/core/199/filelists/x86_64/nasm b/config/rootfiles/core/199/filelists/x86_64/nasm
new file mode 120000
index 000000000..4a75a8b81
--- /dev/null
+++ b/config/rootfiles/core/199/filelists/x86_64/nasm
@@ -0,0 +1 @@
+../../../../common/x86_64/nasm
\ No newline at end of file
diff --git a/lfs/bind b/lfs/bind
index 9befe9bfc..e5f8de750 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.20.13
+VER        = 9.20.15
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
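Review bot: the `VER` bump from 9.20.13 to 9.20.15 pulls in three security fixes (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780), yet the commit subject reads like a routine version update. Naming the CVEs or marking the subject as a security update would make the commit easier to find when deciding what needs to go into other branches.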
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = c3738ebe468849293bec3d89499d7607b76fb636c7d21833dd56414fb569c1edfaa84d152ff9febfe0ebd5c65fa351423fbfbeaaee294d57949eb45631fd5623
+$(DL_FILE)_BLAKE2 = f272fc5e7a107b28cb71b55d2e87cfb2b215612c38289483044445f6c5ae57b0eb7003a368386122fb1fed551ac7be2e4e9bb34c2f8908e379e1aaf4e761c394
 
 install : $(TARGET)
 
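Review bot: the `$(DL_FILE)_BLAKE2` value is replaced here with no note on how the new digest was obtained. State in the commit message whether the tarball was checked against ISC's published signature before the BLAKE2 sum was computed, so the pinned digest can be traced back to an authenticated upstream release.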
diff --git a/lfs/nasm b/lfs/nasm
index bd56757d9..26f91cc1b 100644
--- a/lfs/nasm
+++ b/lfs/nasm
@@ -31,6 +31,7 @@ DL_FILE    = $(THISAPP).tar.xz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
+SUP_ARCH   = x86_64
 
 ###############################################################################
 # Top-level Rules
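Review bot: `SUP_ARCH = x86_64` is backed in the commit message by an x86_64 build and an aarch64 build, while riscv64 is covered only by the same reasoning and not by a build. Either run a riscv64 build or say explicitly in the message that riscv64 was not tested.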
@@ -70,7 +71,6 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/nasm-3.00_fix_typo_in_le32toh_function_name.patch
 	cd $(DIR_APP) && ./configure \
 				--prefix=/usr
 	cd $(DIR_APP) && make $(MAKETUNING)
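Review bot: dropping the `patch -Np1` line relies on the statement that the le32toh typo fix is needed only on ARM, but the deleted patch changes `getu32()` in `include/bytesex.h` in two places with no architecture guard visible in its context lines. A short comment next to `SUP_ARCH` saying that nasm 3.00 needs this fix again if another architecture is re-enabled would keep the reason from being lost.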
diff --git a/src/patches/nasm-3.00_fix_typo_in_le32toh_function_name.patch b/src/patches/nasm-3.00_fix_typo_in_le32toh_function_name.patch
deleted file mode 100644
index 3b198b2d8..000000000
--- a/src/patches/nasm-3.00_fix_typo_in_le32toh_function_name.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- nasm-3.00/include/bytesex.h.orig	2025-10-03 21:41:41.000000000 +0200
-+++ nasm-3.00/include/bytesex.h	2025-10-06 15:03:06.434849426 +0200
-@@ -215,7 +215,7 @@
- } __attribute__((packed));
- static inline uint32_t getu32(const void *p)
- {
--    return l32toh(((const struct unaligned32 *)p)->v);
-+    return le32toh(((const struct unaligned32 *)p)->v);
- }
- static inline uint32_t setu32(void *p, uint32_t v)
- {
-@@ -253,7 +253,7 @@
- static inline uint32_t getu32(const void *p)
- {
-     const uint32_t _unaligned *pp = p;
--    return l32toh(*pp);
-+    return le32toh(*pp);
- }
- static inline uint32_t setu32(void *p, uint32_t v)
- {


hooks/post-receive
--
IPFire 2.x development tree

